License – CC-BY-SA

Beware however that this refers only to parts which are obviously written by me and do not have any other information about licensing. Quoted text, pictures and other content created by others is copyrighted by the corresponding authors. If you are in doubt, ask before republishing any content.

Skype is following your links – that’s proprietary for you

Yesterday it was reported that Skype, owned by Microsoft these days, seems to automatically follow each exchanged https link. Besides the fact that this is a huge security and personal rights problem on its own, it again shows how important it is not to trust a proprietary system.

The problem, skin deep

Heise reported yesterday that Skype follows https links which have been exchanged in chats on a regular basis. First and foremost, this is a privacy issue: it looks like Skype, and thus Microsoft, scans your chat history and acts based on these findings on a regular basis. That cannot be explained by “security measures” or anything like it and is not acceptable. My personal data are mine, and Microsoft should not have anything to do with them as long as there is no need!

Second, there is the security problem: imagine you are exchanging private links, or even links containing passwords and usernames for direct access (you shouldn’t, but sometimes you have to). Microsoft follows these links and therefore gains full access to all data hidden there. If these are sensitive data (private or business), you have no idea what Microsoft is going to do with them.

Third, there is the disturbing part: Microsoft only follows the https links, only the encrypted URLs. If this action were a security measure, they would surely follow the http links as well. So there must be another explanation – but which one? It is disturbing to know that Microsoft has a motivation to regularly follow links to specifically secured content.
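
One way to check the behaviour described above for any chat service, as an added example that is not part of the original post: mint one unguessable http and one https canary URL per chat, send them only through that chat, and look in your own web server's access log for fetches from addresses other than the recipient's. The host `canary.example.org`, the `/c/` path, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
import secrets

# Hypothetical host; use a server you control that answers on ports 80 and 443
# and writes both to one access log in Combined Log Format.
CANARY_HOST = "canary.example.org"

def mint_canaries(channel):
    """Return {token: (channel, scheme, url)}, one unguessable URL per scheme."""
    canaries = {}
    for scheme in ("http", "https"):
        token = secrets.token_urlsafe(16)  # 128 bits, never published anywhere else
        canaries[token] = (channel, scheme, f"{scheme}://{CANARY_HOST}/c/{token}")
    return canaries

# client IP, ident, user, [timestamp], "METHOD /c/<token>... PROTO", status
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) /c/([A-Za-z0-9_-]+)[^"]*" (\d{3})'
)

def third_party_hits(log_lines, canaries, recipient_ips):
    """List canary fetches that came from anyone but the intended recipients."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request for a canary path
        ip, when, method, token, _status = m.groups()
        if token in canaries and ip not in recipient_ips:
            channel, scheme, _url = canaries[token]
            hits.append({"channel": channel, "scheme": scheme,
                         "ip": ip, "method": method, "time": when})
    return hits

if __name__ == "__main__":
    canaries = mint_canaries("chat-service-A")
    t_http, t_https = list(canaries)  # insertion order: http, then https
    log = [  # constructed sample lines, not real traffic
        f'198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /c/{t_http} HTTP/1.1" 200 12',
        f'198.51.100.7 - - [01/Jan/2024:10:02:15 +0000] "GET /c/{t_https} HTTP/1.1" 200 12',
        f'203.0.113.50 - - [01/Jan/2024:12:40:03 +0000] "HEAD /c/{t_https} HTTP/1.1" 200 0',
    ]
    for hit in third_party_hits(log, canaries, recipient_ips={"198.51.100.7"}):
        print(hit)  # only the 203.0.113.50 fetch of the https canary is reported
```

Because each token exists only inside one chat, any hit from an unexpected address means the message content was read and acted on somewhere between sender and recipient; comparing the `scheme` field across hits shows whether http and https links are treated differently.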

The problem, profound

While this news is shocking, the root problem is not Skype or the behavior of Microsoft – I am pretty sure that their License Agreement will cover such actions. And it is most likely that others like WhatsApp, Facebook Chat or whatnot behave in similar ways. So the actual problem is handing over all your data to a company which you have no insight into. You have no idea what they are doing, you have no control over it, and you cannot even be sure that nothing bad is done with it. Also, most vendors try to lock you in to their service, so that switching away from them is painful due to established workflows, tools and social networks.

The solution

From my point of view, my personal perfect solution is hosting such sensitive services on my own. However, that cannot be a solution for everyone, and I myself cannot provide, for example, the SLAs others need.

Thus I guess the best solution is to be conscious about what you do – and what the consequences are. Try to avoid proprietary solutions where possible. For example, for chats, try to use open protocols like XMPP. Google Talk is a good example here: company based, but still using open protocols, they even push the development forward (Jingle, …). Or, if you upload files to web services, make sure you have a local backup. Also, try not to upload sensitive data – if you have to, encrypt it beforehand. And if you use social networks, try not to depend on one of them too much; use cross posts for various services at the same time if possible.

And, last but not least: ask your service providers to establish transparency and rules for a responsible and acceptable usage of your data. After all, they depend on the users’ trust, and if enough users are requesting such changes, they will have to follow.

19 thoughts on “Skype is following your links – that’s proprietary for you”

Erm, isn’t the only feasible solution here end-to-end encryption? XMPP can be as open as you like, unless the data sent is encrypted, the server will be able to do evil things with it. Yes, even when the server provider told you he won’t do evil😉

Well, from my point of view the open protocol is the first step – with that you can use the clients you want, and these can include end-to-end encryption. Without the open protocol I am not sure if end-to-end encryption can be reliably and usably initiated.

Well, I think SIP based solutions are *not* an alternative! However, XMPP/Jingle based services should be working quite as well, as long as ICE really tunnels each and any NAT / firewall configuration. Have you given Jitsi a try recently? That is definitely on my test list.
However, Jitsi does not provide an Android client yet… so whether alternatives are available depends on your needs.

Not sure of the details but it seems that Google just dropped / is about to drop XMPP support with their switch to Hangouts?
If that’s right, then it can’t be recommended as an open protocol anymore and half of my friends aren’t going to be able to chat to me anymore😦

So what? We all know the fallacies of Skype but is there a better alternative? Right, NO. I have spent *days* configuring Psi+ and still haven’t gotten it working behind NAT. Telepathy is even worse. And Skype works beautifully with ZERO configuration.

Skype is bad for privacy but frankly I don’t care as long as it works.

As you might have read, the article is not only about Skype, but about other services as well. Regarding Skype – no, I haven’t had the chance to test other services more than skin deep. Regarding other services: yes, owncloud replaced dropbox, etc.